Merge branch 'main' into jtc/fix-tags

2023-09-20 12:40:09 -05:00 · 2023-09-20 12:40:09 -05:00 · 15a49ce9c2
parent 8ec22b9a73 1ac8691199
commit 15a49ce9c2
5 changed files with 77 additions and 15 deletions
--- a/site/content/docs/howto/cicd.md
+++ b/site/content/docs/howto/cicd.md
@ -0,0 +1,56 @@
+---
+title: Using Pinniped for CI/CD cluster operations
+description: Using Pinniped for CI/CD cluster operations.
+cascade:
+  layout: docs
+menu:
+  docs:
+    name: Use Pinniped for CI/CD
+    weight: 500
+    parent: howtos
+---
+
+This guide shows you how to configure Pinniped so that your CI/CD system of choice can administrate Kubernetes clusters.
+
+Pinniped provides user authentication to Kubernetes clusters.
+It does not provide service-to-service (non-user) authentication.
+There are many other systems for service-to-service authentication in Kubernetes.
+
+If an organization prefers to manage CI/CD access with non-human user accounts in their IDP, Pinniped can provide authentication for those
+non-human user accounts. Humans can also use the same steps below to log into clusters non-interactively.
+
+Note that the guide below assumes that you are using a non-human user account within the IDP of your choice.
+It is never recommended to use a human's credentials for CI/CD or other automated processes.
+
+## Prerequisites
+
+This how-to guide assumes that you have already configured the following Pinniped server-side components within your Kubernetes cluster(s):
+
+1. Pinniped Supervisor with a working FederationDomain and at least one IdentityProvider (LDAP, AD, or OIDC)
+   * The Supervisor installation could be on a completely separate cluster unrelated to your CI/CD
+2. Pinniped Concierge on each cluster that needs to be administrated by your CI/CD system
+   * It is possible to use the Pinniped CLI to log into any cluster configured with
+[OIDC authentication](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens),
+see [here]({{< ref "../tutorials/supervisor-without-concierge-demo" >}}). This would not require Concierge to be installed
+on each cluster.
+3. A CI/CD system that meets the following conditions:
+   * It can handle secrets safely and provide them to tasks as environment variables
+   * It can run shell scripts, or at least invoke binaries (such as `pinniped` and `kubectl`) 
+   * It can access Pinniped-style kubeconfigs for each cluster
+4. A user account (that does not represent a human) within the IDP of your choice
+   * This account should be granted the least amount of privileges necessary
+   * This account should likely be single-purposed for CI/CD use
+
+## Overview
+
+1. A CI/CD admin should generate the Pinniped-style kubeconfig for each cluster that needs to be administered by CI/CD
+   and make those kubeconfigs available to CI/CD
+   * Be sure to use `pinniped get kubeconfig` with option `--upstream-identity-provider-flow=cli_password` to authenticate non-interactively (without a browser)
+   * When using OIDC, the optional CLI-based flow must be enabled by the administrator in the OIDCIdentityProvider configuration before use
+     (see `allowPasswordGrant` in the [API docs](https://github.com/vmware-tanzu/pinniped/blob/main/generated/{{< latestcodegenversion >}}/README.adoc#oidcauthorizationconfig) for more details).
+2. A CI/CD admin should make the non-human user account credentials available to CI/CD tasks
+3. Each CI/CD task should set the environment variables `PINNIPED_USERNAME` and `PINNIPED_PASSWORD` for the `kubectl` process to avoid the interactive prompts.
+The values should be provided from the non-human user account credentials.
+
+At this point, your CI/CD has now authenticated into your kubernetes cluster.
+Be sure to set up the appropriate IDP groups and Kubernetes roles to enable your non-human user account to perform the necessary operations.
--- a/site/resources/_gen/assets/scss/scss/site.scss_57bddf56b810cfd059d5f90b3dc00f4f.content
+++ b/site/resources/_gen/assets/scss/scss/site.scss_57bddf56b810cfd059d5f90b3dc00f4f.content
--- a/site/themes/pinniped/assets/scss/_base.scss
+++ b/site/themes/pinniped/assets/scss/_base.scss
@ -22,6 +22,12 @@ body {
    max-width: 980px;
    margin: 0px auto;
    padding: 20px;
+    .hero {
+        h1, .h1 {
+            color: #fff;
+            line-height: 1em;
+        }
+    }
    @include breakpoint(small) {
        max-width: 100%;
    }
@ -42,10 +48,10 @@ body {
 h1, h2, h3, h4, h5, h6 {
    font-weight: 300;
 }
-h1 {
+h1, .h1 {
    font-size: 36px;
 }
-h2 {
+h2, .h2 {
    font-size: 28px;
 }
 h3 {
@ -150,7 +156,7 @@ button {
    font-weight: normal;
    font-style: normal;
  }
-  
+
  @font-face {
    font-family: "Metropolis-BoldItalic";
    src:url("/fonts/Metropolis-BoldItalic.eot");
@ -160,7 +166,7 @@ button {
    font-weight: normal;
    font-style: normal;
  }
-  
+
  @font-face {
    font-family: "Metropolis-Light";
    src:url("/fonts/Metropolis-Light.eot");
@ -170,7 +176,7 @@ button {
    font-weight: normal;
    font-style: normal;
  }
-  
+
  @font-face {
    font-family: "Metropolis-LightItalic";
    src:url("/fonts/Metropolis-LightItalic.eot");
@ -180,7 +186,7 @@ button {
    font-weight: normal;
    font-style: normal;
  }
-  
+
  @font-face {
    font-family: "Metropolis-Regular";
    src:url("/fonts/Metropolis-Regular.eot");
@ -190,7 +196,7 @@ button {
    font-weight: normal;
    font-style: normal;
  }
-  
+
  @font-face {
    font-family: "Metropolis-RegularItalic";
    src:url("/fonts/Metropolis-RegularItalic.eot");
@ -200,7 +206,7 @@ button {
    font-weight: normal;
    font-style: normal;
  }
-  
+
  @font-face {
    font-family: "Metropolis-Medium";
    src:url("/fonts/Metropolis-Medium.eot");
@ -210,7 +216,7 @@ button {
    font-weight: normal;
    font-style: normal;
  }
-  
+
  @font-face {
    font-family: "Metropolis-MediumItalic";
    src:url("/fonts/Metropolis-MediumItalic.eot");
@ -220,7 +226,7 @@ button {
    font-weight: normal;
    font-style: normal;
  }
-  
+
  @font-face {
    font-family: "Metropolis-SemiBold";
    src:url("/fonts/Metropolis-SemiBold.eot");
@ -230,7 +236,7 @@ button {
    font-weight: normal;
    font-style: normal;
  }
-  
+
  @font-face {
    font-family: "Metropolis-SemiBoldItalic";
    src:url("/fonts/Metropolis-SemiBoldItalic.eot");
--- a/site/themes/pinniped/assets/scss/_components.scss
+++ b/site/themes/pinniped/assets/scss/_components.scss
@ -36,7 +36,7 @@ pre.chroma {
            color: $white;
        }
    }
-    h2 {
+    h2, .h2 {
        font-size: 36px;
    }
    &.homepage {
--- a/site/themes/pinniped/layouts/_default/single.html
+++ b/site/themes/pinniped/layouts/_default/single.html
@ -3,12 +3,12 @@
 		<article>
 			<div class="hero subpage">
 				<div class="wrapper">
-					<h1>Pinniped blog</h1>
+					<h2 class="h1">Pinniped blog</h2>
 				</div>
 			</div>
 			<div class="wrapper blog">
 				<div class="blog-post">
-					<h2>{{ .Title }}</h2>
+					<h1 class="h2">{{ .Title }}</h1>
 					{{ partial "authors" .}}
 					<p class="date">{{ dateFormat "Jan 2, 2006" .Date }}</p>
 					{{ .Content }}